The next assignment is creating polymorphic versions of three existing shellcode samples found on shell-storm.org.
Requirements:
– Take three shellcodes from shell-storm and create polymorphic versions of them to beat pattern matching
– Polymorphic versions cannot be larger than 150% of the existing shellcode
– Bonus points for making them shorter in length than the original
Polymorphic
So what is this polymorphic thingy? Well, it’s a method for modifying existing shellcode in such a way that it becomes less detectable by signature-based mitigation products, such as AV (Anti-Virus) or IDS/IPS (Intrusion Detection Systems / Intrusion Prevention Systems).
These products tend to check for known strings, opcodes or other behaviour, and raise an alarm when a suspicious fragment of assembly code crosses a certain threshold. Various methods exist to get around such detection mechanisms; here we’ll be adjusting existing shellcode in an attempt to evade detection.
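To make the "known opcodes" idea concrete from the detection side, here is a small added example (my own illustration, not code from the original post or from shell-storm): a minimal byte-signature scanner of the kind an AV or IDS engine uses, run over two constructed byte buffers that differ in a single byte. It shows why an exact-byte signature stops matching after a one-byte change inside the signed region, while a signature with a wildcard on the variable byte still fires. The buffers and signatures are made-up dummy data, not shellcode; the `??` wildcard syntax is borrowed from YARA-style hex strings.

```python
# Added example: a tiny signature scanner to illustrate how byte-pattern
# detection works and why exact-byte signatures are brittle.
# All byte sequences below are constructed dummy data, not real shellcode.

from typing import Dict, List, Optional

# A parsed signature: a list of byte values, with None meaning "any byte".
Pattern = List[Optional[int]]


def parse_signature(text: str) -> Pattern:
    """Parse a YARA-like hex pattern such as "33 44 ?? 66 77".

    Each token is one byte in hex; "??" is a single-byte wildcard.
    """
    pattern: Pattern = []
    for token in text.split():
        if token == "??":
            pattern.append(None)
        else:
            value = int(token, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"bad byte token: {token}")
            pattern.append(value)
    return pattern


def scan(buf: bytes, pattern: Pattern) -> Optional[int]:
    """Return the offset of the first match of pattern in buf, or None."""
    n = len(pattern)
    for offset in range(len(buf) - n + 1):
        if all(p is None or buf[offset + i] == p for i, p in enumerate(pattern)):
            return offset
    return None


def detect(buf: bytes, signatures: Dict[str, str]) -> List[str]:
    """Return the names of all signatures that match somewhere in buf."""
    return [name for name, text in signatures.items()
            if scan(buf, parse_signature(text)) is not None]


# Constructed samples: an "original" blob and a variant where byte 4 differs,
# standing in for a polymorphic rewrite that changed one instruction encoding.
ORIGINAL = bytes.fromhex("11 22 33 44 55 66 77 88 99")
VARIANT = bytes.fromhex("11 22 33 44 ab 66 77 88 99")

# Two constructed signatures covering the same region of the blob:
# "exact" pins every byte, "wildcard" leaves the variable byte open.
SIGNATURES = {
    "exact": "33 44 55 66 77",
    "wildcard": "33 44 ?? 66 77",
}

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT)):
        print(f"{label}: matched {detect(blob, SIGNATURES)}")
```

The takeaway for whoever writes the signatures is that they should anchor on bytes that stay invariant across rewrites (syscall numbers, interrupt instructions, fixed constants) and leave register choices and padding as wildcards; the same scanner then keeps matching after the kind of cosmetic changes this assignment produces.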
Steps to be taken:
– Pick three shellcodes
– Analyse and comment them
– Modify and improve them
– Upload them to an online virus-check tool, such as Virustotal.com
– Check the results
Additional steps:
Although we take quite a few steps before we actually run shellcode, it should be obvious that blindly running shellcode is never a good idea. Shell-storm.org has a fairly good repository of trustworthy shellcodes, but it should be noted that analysing shellcode before running it is simply a matter of common sense.
Chosen shellcodes:
• Linux/x86 – Reverse TCP bind shell – 92 bytes by Russell Willis
◇ http://shell-storm.org/shellcode/files/shellcode-849.php
• Linux/x86 – ASLR deactivation – 83 bytes by Jean Pascal Pereira
◇ http://shell-storm.org/shellcode/files/shellcode-813.php
• Linux/x86 – sends Phuck3d! to all terminals – 60 bytes by condis
◇ http://shell-storm.org/shellcode/files/shellcode-604.php